[Samba] Unable to set SeDiskOperatorPrivilege

Rowland penny rpenny at samba.org
Fri Jan 15 12:24:57 UTC 2016


On 15/01/16 12:08, Henry McLaughlin wrote:
>
>
> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>
>     On 15/01/16 11:12, Henry McLaughlin wrote:
>
>
>             Have you by any chance given Administrator a uidNumber ?
>
>
>         Yes, 10000
>
>         Was that wrong?
>
>
>
>
>     Well, in my opinion, yes. By giving Administrator a uidNumber, you
>     have, as far as Unix is concerned, turned it into a normal user
>     that doesn't have the rights to do anything.
>
>     Is this on a DC ? if so, remove the uidNumber and it should start
>     working again, if it is a domain member, again remove the
>     uidNumber and add this line to smb.conf
>
>     username map = /etc/samba/samba_usermapping
>
>     Create the file '/etc/samba/samba_usermapping' with this content:
>
>     !root = SAMDOM\Administrator SAMDOM\administrator
>
>     Replace 'SAMDOM' with your workgroup
>
>     This will map 'Administrator' to the Unix 'root' user
>
>     Rowland
>
>
> Thanks Rowland, this worked, however I am totally confused as to when a 
> Windows User/Group needs to be given a UNIX id in ADUG. Is there a 
> reference out there I can read, study & understand?

It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix 
automatically. On a domain member, you have a choice of backends, but 
the two main ones are 'rid' & 'ad'. The 'rid' backend works similarly 
(from an initial view point) to the DC and maps the users & groups to 
Unix. The 'ad' backend is different, any user that you want to be 
visible to Unix must be given a uidNumber attribute, this number must be 
inside the range that is set in smb.conf, you must also give Domain 
Users (at least) a gidNumber attribute, this must also be inside the 
range set in smb.conf, if you want any other groups to be visible to 
Unix, these also must be given a gidNumber.

Any user or group that is visible to Unix, works just like any other 
Unix user or group and only has the permissions you assign to them.

Rowland
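
The 'ad' backend rules described in the message above, as an added example that is not part of the original post: a small audit that reads the idmap range from smb.conf and reports entries that break those rules. The smb.conf fragment, the ranges and the directory entries are constructed sample data, and `idmap_range` and `audit` are hypothetical helper names.

```python
import re

# Constructed smb.conf fragment for a domain member using the 'ad' backend
# (SAMDOM and both ranges are assumed sample values).
SMB_CONF = """
[global]
    workgroup = SAMDOM
    username map = /etc/samba/samba_usermapping
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD entries: (name, kind, uidNumber or gidNumber, None if unset).
ENTRIES = [
    ("Administrator", "user", 10000),
    ("alice", "user", 10001),
    ("bob", "user", 500),
    ("carol", "user", None),
    ("Domain Users", "group", None),
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = r"^[ \t]*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("no idmap range configured for " + domain)
    return int(m.group(1)), int(m.group(2))

def audit(conf, domain, entries):
    """Map each problem entry to a finding; entries that are fine are omitted."""
    low, high = idmap_range(conf, domain)
    findings = {}
    for name, kind, num in entries:
        attr = "uidNumber" if kind == "user" else "gidNumber"
        if name.lower() == "administrator" and num is not None:
            # The case from this thread: the ID makes it an ordinary Unix user.
            findings[name] = "has uidNumber %d; remove it and use username map" % num
        elif num is None:
            findings[name] = "no %s, not visible to Unix" % attr
        elif not low <= num <= high:
            findings[name] = "%s %d outside range %d-%d" % (attr, num, low, high)
    return findings

if __name__ == "__main__":
    for name, msg in audit(SMB_CONF, "SAMDOM", ENTRIES).items():
        print("%-14s %s" % (name, msg))
```

On a real system the entries would come from the directory rather than an inline list; the checks themselves stay the same.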


